GLOBAL THREAT INTELLIGENCE REPORT: OCTOBER 2014

GLOBAL Threat Intelligence Report – OCTOBER 2014

Executive Summary

This month saw another fundamental flaw in a commonly used encryption mechanism for transferring data (Poodle) as well as an uptick in the attempts on last months Shellshock vulnerability on the Internet.

Alternatively more alleged espionage campaigns were detected this month by actors such as Russia which used phishing and the usual methods that APT commonly use to attack entities that they are interested in. Within all of this there is a sense that today if you are on the Internet at all then you are compromised.

At a corporate level however, this should prick your ears and give you pause as your company may in fact be compromised actively as you read this report. Additionally, it is important to understand the nature of the threats out there as well as the threats you have within your own networks. Reliance on reports from threat intelligence firms without actual intelligence analysis for your own organization does little to stop the threats that you have in your own domain.

You will find within this report some highlights of what was seen over the month of October in attacks, malware, and geopolitically in the world of Internet and computer security. Use this information to inform your organization on the vulnerabilities out in the wild as well as the data from within your org that shows just how vulnerable you may be to threats like these as well as others that you already have in situ.Global Threats

Global Threats

Threat Intelligence Feeds:

Analysis:

Threat intelligence is being sold as a commodity today for many companies to use as a means to protect their networks and domains. However it should be noted that not all threat intelligence is useful to every company. Threat intelligence needs to be analysed by the local security team and the business to understand whether or not the intelligence is valid for their situation. Lately the intelligence that has been put out by the likes of FireEye and Mandiant and others have been about nation state actors that may not have any interest in your companies network in the first place. Thus it is important to gather what data the feeds do have and to apply rules as well as patches for those vulnerabilities reported upon. However, in some cases such as the APT campaigns by APT-28 to date do not have any applicable vectors for C&C’s or IOC’s unless you are in Ukraine or are a part of NATO.

On the other side of this equation though, the 0day that was used and the subsequent patches that will be put out by Microsoft will play a large roll in stopping further attacks that other actors (primarily criminal gangs) will use to try and leverage the 0day that now is in the open and available to anyone who may want to use it to attack other systems for non political goals. It is important for executives and management to understand that not all actors, specifically not all “Advanced Persistent Threats” you hear about in the news are the threats that you need to worry about. These are nation state actors who are targeting very specific things in order to further their political goals. These are espionage activities and thus it is important to understand them as well as understand your network, your data, and what you do as a company that “may” interest them in attacking you at some point even if it is just as a pivot point to attack someone you work with. An example of this would be the attack on Target via the HVAC company that had lower security levels than Target themselves. Vet all your intelligence feeds by analysing the data being given to you and align it to your business model and your network, security, and profile.

APT Espionage Activities:

Sandworm and APT-28

Two APT campaigns were recently unearthed by two different threat intelligence companies and released to the internet. The first of the two was dubbed “Sandworm” because the malware involved had certain words associated with the Frank Herbet Dune Triology encoded in them. APT 28 was recently reported on by FireEye and covers much the same territory by ostensibly the same actor (Russia and the FSB) against the same targets NATO, Ukraine and also in the case of Sandworm, some networks concerned with power generation and ICS systems.

Analysis:

Both of these campaigns attacked the Ukrainian interests as well as NATO interests that the FSB and the Russian body politic is interested in. Where this type of activity meets many of your personal interests lay in the fact that the 0day that these campaigns used may be re-purposed for use by criminal gangs seeking to steal data such as credit cards and personal information. Seek out the reports on the 0day and the patches that go along with those reports from Microsoft to cover your patch cycles and insure that re-use is not possible in your environment. Also, since many crime syndicates in the Baltics tend to share command and control as well as coders with the FSB you should also input the C&C’s to insure that any traffic to them being re-purposed will be detected and blocked as well as reported on.

Malware & Crimeware

Crowti

Crowti Crypto-Malware Hits the United States

Win32/Crowti is a crypto-wall malware used to extort the end user in to giving money to the attacker to decrypt their files after infection. The system once rebooted will be encrypted and all access to it blocked by the attacker unless payment is received. The hard drive of the system will be encrypted thus all the data that is on the machine is subject to the extortion. This malware is being sent through various phishing campaigns and purportedly is being loaded onto machines via a framework of phishing/hacking software used by criminal gangs.

Analysis:

This attack has spiked in October from 4000 systems infected just within this month alone. The phishing campaigns distribution of the ransomware is carried out through spam email with malicious attachments posing as documents (invoices, faxes, complaints, reports) or missed call messages. If you are seeing this traffic you should block the subjects, sender, IP’s and any other pertinent details in your SPAM systems to block them coming in. If you are infected with the malware do not pay the ransom as reports of this have shown that they keys are not forthcoming from the extortionists. Instead you should re-image the machines infected and hopefully have backups of the data that was lost on the affected systems.

Multiple Infection Phishing Campaign

An email saying Please find attached Remittance and BACS confirmation for September and October Invoice pretending to come from random names, companies and email addresses with a subject of Remittance Confirmation [random characters) is another one from the current bot runs which try to download various Zbots,cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Analysis:

This malware campaign started October 31st 2014 and has been undetected by many AV clients so far. The only one to see this as malware early on was SOPHOS as a trojan. The file attached with the malware today was a .doc file (ZY5088152.doc) and when the file is opened the doc is empty but macros within the word file attempt to download malware. The campaign to date has been widespread and as such everyone should be on the lookout for this attack. The email subject is;

REMITTANCE CONFIRMATION *insert random string of numbers*

Once loaded the malware will attempt to download other packages (anything and everything it seems) in a gangbuster attempt to infect the machine in order to steal keystrokes and banking data.

Dyre/Dyreza

Phishing Campaign Linked with “Dyre” Banking Malware

The Dyre malware allows hackers to steal online bank passwords and other identification by infecting users’ computers to make it seem they are communicating with their financial institution via fake pages and or re-routing traffic in their DNS. Alternatively the malware installs a keystroke recorder and just records all actions until it captures the data the attackers want. The malware is spread by varying phishing attacks and is still evolving. The most common attack vector has been phishing emails with malware laden pdf files. The campaigns also have been using 0day attacks CVE-2013-2729 and CVE-2010-0188 in adobe reader.

Analysis:

The Dyre malware has been around since September of this year and still poses a threat. It is recommended that everyone patch for the Adobe vulnerabilities that have been seen used with these attacks as well as increase user awareness to disallow for the files to be opened. The user is the front line of the fight against malware and phishing, as such they should be as aware as possible of the dangers of opening unverified files and links from emails that they are not familiar with who the sender is. Additionally these programs of awareness should extend to phishing your own environment as a part of education to re-educate users who consistently click on links and files without checking them first.

Hackers using Gmail drafts to steal data and update malware

A malware and hacking campaign recently detected is using Gmail draft files to infect and connect with command and control systems without ever having to hit send on the mail itself. It is unclear what the malware type is exactly but the command and control method along with the use of Gmail as the channel is novel.

“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” said Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” ~itproportal.com

Analysis:

This attack seems to be very targeted and may end up being part of a release later on in a bigger campaign that will either be nation state or crimeware driven. The interesting bit is the use of the Gmail C&C method to communicate. This is something to keep your eye on for the future as well as to consider the use of Gmail within your domains as either personal or corporate business. It is really a bad idea to carry out company business on services like Gmail but some places actually allow it. In either case, now this may allow a new channel using python code to ex-filtrate data from your network.

Vulnerabilities

Poodle

POODLE vulnerability in SSL 3.0

Poodle is the name for a vulnerability and attack on the SSLv3 protocol. This is an older protocol and everyone should be at TLS level now as the de-facto means of SSL encryption for the tunnels today. However, a flaw in the old code allows for a block cipher decryption attack via a “Man in the Middle” attack. This means that an attacker would have to route traffic through an intermediary system to gain access to raw traffic (2k packets) to attempt to decrypt it and get the key cipher to continue reading all of the traffic thereon.

Analysis:

This vulnerability and attack is more commonly available to attackers who have assets in place to attack the encrypted session. This means primarily that the best way to attack this is to do this while someone is on a rogue WIFI AP or in certain other scenarios. This would be more prescient for any mobile users (i.e. at a cafe working) than anywhere else. It is important that within your environment you disable SSLv3 from being allowed as a protocol for all browsers and if you have systems that are connected to the internet they too should b disallowed from using SSLv3 and set to only use TLS. This is actually being forced on many who use browsers now by default with new installs of Chrome and other browsers today.

WGET:

Wget creates arbitrary symbolic links during recursive FTP downloads

GNU wget allows arbitrary filesystem access when creating symbolic links during a recursive FTP download. This allows an attacker to overwrite files with the permissions of the user running wget. A malicious FTP server, when configured to provide symlinks in the directory listing, can force the client wget utility to enter into the the specified local symlink, navigating the local file system for the attacker. Wget will then download and create or overwrite existing files within the local symlink, setting permissions to those of the remote files.

Analysis:

This attack can be detrimental depending on the rights at which the attack happens. If you are using a UNIX FTP that is configured with the right account levels this attack may be limited. If however the acct that the attacker uses has too many rights on the machine it could lead to further compromise of the system. It is recommended that everyone patch for this vulnerability as well as consider the need for FTP in the first place. What data do you have going in and out of an internet facing FTP? Should you not be using a secure FTP to start with?

DRUPAL

Drupal Releases Public Service Announcement

Drupal released a public service announcement to address active exploitations of a previously patched vulnerability found in Drupal core 7.x versions prior to 7.32. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Analysis:

There is an ongoing SQLi attack against Drupal that updating the system to the current patch will negate. This attack has been seen in the wild in an automated attack and should be updated as soon as possible to prevent compromise. Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

IBM WebSphere

IBM WebSphere Application Server contains multiple vulnerabilities

IBM WebSphere Application Server, including the Hypervisor Edition, contains a cross-site request forgery (CSRF) vulnerability in the Administrative Console. The application also provides a URL that allows authenticated users to directly create and modify their session variables (“Session Injection”), including CSRF tokens.

Analysis:

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user’s browser session. Additionally, a remote unauthenticated attacker may be able to trick an authenticated user into making an unintentional request to the web server which will be treated as an authentic request and may result in information leakage or modification.

Analysis:

An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions. This 0day has been patched now with MS14-060This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Directed Threats

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.

WORD FILE: to download and tailor to your org and give to your execs is HERE